aws-sdk-cognitoidentityprovider 1.65.0 → 1.68.0

data/lib/aws-sdk-cognitoidentityprovider/types.rb

@@ -52,7 +52,7 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] event_action
     #   The action to take in response to the account takeover action. Valid
-    #   values are:
+    #   values are as follows:
     #
     #   * `BLOCK` Choosing this action will block the request.
     #
@@ -354,11 +354,11 @@ module Aws::CognitoIdentityProvider
     #   @return [Boolean]
     #
     # @!attribute [rw] unused_account_validity_days
-    #   The user account expiration limit, in days, after which the account
-    #   is no longer usable. To reset the account after that time limit, you
-    #   must call `AdminCreateUser` again, specifying `"RESEND"` for the
-    #   `MessageAction` parameter. The default value for this parameter is
-    #   7.
+    #   The user account expiration limit, in days, after which a new
+    #   account that hasn't signed in is no longer usable. To reset the
+    #   account after that time limit, you must call `AdminCreateUser`
+    #   again, specifying `"RESEND"` for the `MessageAction` parameter. The
+    #   default value for this parameter is 7.
     #
     #   <note markdown="1"> If you set a value for `TemporaryPasswordValidityDays` in
     #   `PasswordPolicy`, that value will be used, and
@@ -1127,9 +1127,11 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::AnalyticsMetadataType]
     #
     # @!attribute [rw] context_data
-    #   Contextual data such as the user's device fingerprint, IP address,
-    #   or location used for evaluating the risk of an unexpected event by
-    #   Amazon Cognito advanced security.
+    #   Contextual data about your user session, such as the device
+    #   fingerprint, IP address, or location. Amazon Cognito advanced
+    #   security evaluates the risk of an authentication event based on the
+    #   context that your app generates and passes to Amazon Cognito when it
+    #   makes API requests.
     #   @return [Types::ContextDataType]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminInitiateAuthRequest AWS API Documentation
@@ -1185,9 +1187,21 @@ module Aws::CognitoIdentityProvider
     #     enabled to use this flow.
     #
     #   * `NEW_PASSWORD_REQUIRED`\: For users who are required to change
-    #     their passwords after successful first login. This challenge
-    #     should be passed with `NEW_PASSWORD` and any other required
-    #     attributes.
+    #     their passwords after successful first login. Respond to this
+    #     challenge with `NEW_PASSWORD` and any required attributes that
+    #     Amazon Cognito returned in the `requiredAttributes` parameter. You
+    #     can also set values for attributes that aren't required by your
+    #     user pool and that your app client can write. For more
+    #     information, see [AdminRespondToAuthChallenge][1].
+    #
+    #     <note markdown="1"> In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify
+    #     a required attribute that already has a value. In
+    #     `AdminRespondToAuthChallenge`, set a value for any keys that
+    #     Amazon Cognito returned in the `requiredAttributes` parameter,
+    #     then use the `AdminUpdateUserAttributes` API operation to modify
+    #     the value of any additional attributes.
+    #
+    #      </note>
     #
     #   * `MFA_SETUP`\: For users who are required to set up an MFA factor
     #     before they can sign in. The MFA types activated for the user pool
@@ -1200,6 +1214,10 @@ module Aws::CognitoIdentityProvider
     #     complete sign-in. To set up SMS MFA, users will need help from an
     #     administrator to add a phone number to their account and then call
     #     `InitiateAuth` again to restart sign-in.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html
     #   @return [String]
     #
     # @!attribute [rw] session
@@ -1267,12 +1285,11 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] destination_user
     #   The existing user in the user pool that you want to assign to the
-    #   external identity provider user account. This user can be a native
-    #   (Username + Password) Amazon Cognito user pools user or a federated
-    #   user (for example, a SAML or Facebook user). If the user doesn't
-    #   exist, Amazon Cognito generates an exception. Amazon Cognito returns
-    #   this user when the new user (with the linked identity provider
-    #   attribute) signs in.
+    #   external IdP user account. This user can be a native (Username +
+    #   Password) Amazon Cognito user pools user or a federated user (for
+    #   example, a SAML or Facebook user). If the user doesn't exist,
+    #   Amazon Cognito generates an exception. Amazon Cognito returns this
+    #   user when the new user (with the linked IdP attribute) signs in.
     #
     #   For a native username + password user, the `ProviderAttributeValue`
     #   for the `DestinationUser` should be the username in the user pool.
@@ -1289,30 +1306,29 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::ProviderUserIdentifierType]
     #
     # @!attribute [rw] source_user
-    #   An external identity provider account for a user who doesn't exist
-    #   yet in the user pool. This user must be a federated user (for
-    #   example, a SAML or Facebook user), not another native user.
+    #   An external IdP account for a user who doesn't exist yet in the
+    #   user pool. This user must be a federated user (for example, a SAML
+    #   or Facebook user), not another native user.
     #
-    #   If the `SourceUser` is using a federated social identity provider,
-    #   such as Facebook, Google, or Login with Amazon, you must set the
-    #   `ProviderAttributeName` to `Cognito_Subject`. For social identity
-    #   providers, the `ProviderName` will be `Facebook`, `Google`, or
-    #   `LoginWithAmazon`, and Amazon Cognito will automatically parse the
-    #   Facebook, Google, and Login with Amazon tokens for `id`, `sub`, and
-    #   `user_id`, respectively. The `ProviderAttributeValue` for the user
-    #   must be the same value as the `id`, `sub`, or `user_id` value found
-    #   in the social identity provider token.
+    #   If the `SourceUser` is using a federated social IdP, such as
+    #   Facebook, Google, or Login with Amazon, you must set the
+    #   `ProviderAttributeName` to `Cognito_Subject`. For social IdPs, the
+    #   `ProviderName` will be `Facebook`, `Google`, or `LoginWithAmazon`,
+    #   and Amazon Cognito will automatically parse the Facebook, Google,
+    #   and Login with Amazon tokens for `id`, `sub`, and `user_id`,
+    #   respectively. The `ProviderAttributeValue` for the user must be the
+    #   same value as the `id`, `sub`, or `user_id` value found in the
+    #   social IdP token.
     #
     #
     #
     #   For SAML, the `ProviderAttributeName` can be any value that matches
     #   a claim in the SAML assertion. If you want to link SAML users based
     #   on the subject of the SAML assertion, you should map the subject to
-    #   a claim through the SAML identity provider and submit that claim
-    #   name as the `ProviderAttributeName`. If you set
-    #   `ProviderAttributeName` to `Cognito_Subject`, Amazon Cognito will
-    #   automatically parse the default unique identifier found in the
-    #   subject from the SAML token.
+    #   a claim through the SAML IdP and submit that claim name as the
+    #   `ProviderAttributeName`. If you set `ProviderAttributeName` to
+    #   `Cognito_Subject`, Amazon Cognito will automatically parse the
+    #   default unique identifier found in the subject from the SAML token.
     #   @return [Types::ProviderUserIdentifierType]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminLinkProviderForUserRequest AWS API Documentation
@@ -1679,9 +1695,22 @@ module Aws::CognitoIdentityProvider
     #   * `ADMIN_NO_SRP_AUTH`\: `PASSWORD`, `USERNAME`, `SECRET_HASH` (if
     #     app client is configured with client secret).
     #
-    #   * `NEW_PASSWORD_REQUIRED`\: `NEW_PASSWORD`, any other required
-    #     attributes, `USERNAME`, `SECRET_HASH` (if app client is configured
-    #     with client secret).
+    #   * `NEW_PASSWORD_REQUIRED`\: `NEW_PASSWORD`, `USERNAME`,
+    #     `SECRET_HASH` (if app client is configured with client secret). To
+    #     set any required attributes that Amazon Cognito returned as
+    #     `requiredAttributes` in the `AdminInitiateAuth` response, add a
+    #     `userAttributes.attributename ` parameter. This parameter can also
+    #     set values for writable attributes that aren't required by your
+    #     user pool.
+    #
+    #     <note markdown="1"> In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify
+    #     a required attribute that already has a value. In
+    #     `AdminRespondToAuthChallenge`, set a value for any keys that
+    #     Amazon Cognito returned in the `requiredAttributes` parameter,
+    #     then use the `AdminUpdateUserAttributes` API operation to modify
+    #     the value of any additional attributes.
+    #
+    #      </note>
     #
     #   * `MFA_SETUP` requires `USERNAME`, plus you must use the session
     #     value returned by `VerifySoftwareToken` in the `Session`
@@ -1710,9 +1739,11 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::AnalyticsMetadataType]
     #
     # @!attribute [rw] context_data
-    #   Contextual data such as the user's device fingerprint, IP address,
-    #   or location used for evaluating the risk of an unexpected event by
-    #   Amazon Cognito advanced security.
+    #   Contextual data about your user session, such as the device
+    #   fingerprint, IP address, or location. Amazon Cognito advanced
+    #   security evaluates the risk of an authentication event based on the
+    #   context that your app generates and passes to Amazon Cognito when it
+    #   makes API requests.
     #   @return [Types::ContextDataType]
     #
     # @!attribute [rw] client_metadata
@@ -2089,6 +2120,22 @@ module Aws::CognitoIdentityProvider
     #
     #   For custom attributes, you must prepend the `custom:` prefix to the
     #   attribute name.
+    #
+    #   If your user pool requires verification before Amazon Cognito
+    #   updates an attribute value that you specify in this request, Amazon
+    #   Cognito doesn’t immediately update the value of that attribute.
+    #   After your user receives and responds to a verification message to
+    #   verify the new value, Amazon Cognito updates the attribute value.
+    #   Your user can sign in and receive messages with the original
+    #   attribute value until they verify the new value.
+    #
+    #   To update the value of an attribute that requires verification in
+    #   the same API request, include the `email_verified` or
+    #   `phone_number_verified` attribute, with a value of `true`. If you
+    #   set the `email_verified` or `phone_number_verified` value for an
+    #   `email` or `phone_number` attribute that requires verification to
+    #   `true`, Amazon Cognito doesn’t send a verification message to your
+    #   user.
     #   @return [Array<Types::AttributeType>]
     #
     # @!attribute [rw] client_metadata
@@ -2181,12 +2228,15 @@ module Aws::CognitoIdentityProvider
     class AdminUserGlobalSignOutResponse < Aws::EmptyStructure; end
 
     # This exception is thrown when a user tries to confirm the account with
-    # an email or phone number that has already been supplied as an alias
-    # from a different account. This exception tells user that an account
-    # with this email or phone already exists.
+    # an email address or phone number that has already been supplied as an
+    # alias for a different user profile. This exception indicates that an
+    # account with this email address or phone already exists in a user pool
+    # that you've configured to use email address or phone number as a
+    # sign-in alias.
     #
     # @!attribute [rw] message
-    #   The message sent to the user when an alias exists.
+    #   The message that Amazon Cognito sends to the user when the value of
+    #   an alias attribute is already linked to another user profile.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AliasExistsException AWS API Documentation
@@ -2197,8 +2247,8 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
-    # The Amazon Pinpoint analytics configuration for collecting metrics for
-    # a user pool.
+    # The Amazon Pinpoint analytics configuration necessary to collect
+    # metrics for a user pool.
     #
     # <note markdown="1"> In Regions where Amazon Pinpointisn't available, user pools only
     # support sending events to Amazon Pinpoint projects in us-east-1. In
@@ -2226,7 +2276,7 @@ module Aws::CognitoIdentityProvider
     #   The Amazon Resource Name (ARN) of an Amazon Pinpoint project. You
     #   can use the Amazon Pinpoint project to integrate with the chosen
     #   user pool Client. Amazon Cognito publishes events to the Amazon
-    #   Pinpointproject declared by the app ARN.
+    #   Pinpoint project that the app ARN declares.
     #   @return [String]
     #
     # @!attribute [rw] role_arn
@@ -2239,8 +2289,8 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] user_data_shared
-    #   If `UserDataShared` is `true`, Amazon Cognito will include user data
-    #   in the events it publishes to Amazon Pinpoint analytics.
+    #   If `UserDataShared` is `true`, Amazon Cognito includes user data in
+    #   the events that it publishes to Amazon Pinpoint analytics.
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AnalyticsConfigurationType AWS API Documentation
@@ -2259,12 +2309,14 @@ module Aws::CognitoIdentityProvider
     #
     # An endpoint uniquely identifies a mobile device, email address, or
     # phone number that can receive messages from Amazon Pinpoint analytics.
+    # For more information about Amazon Web Services Regions that can
+    # contain Amazon Pinpoint resources for use with Amazon Cognito user
+    # pools, see [Using Amazon Pinpoint analytics with Amazon Cognito user
+    # pools][1].
     #
-    # <note markdown="1"> Amazon Cognito user pools only support sending events to Amazon
-    # Pinpoint projects in the US East (N. Virginia) us-east-1 Region,
-    # regardless of the Region where the user pool resides.
     #
-    #  </note>
+    #
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html
     #
     # @note When making an API call, you may pass AnalyticsMetadataType
     #   data as a hash:
@@ -2294,7 +2346,8 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] access_token
-    #   The access token.
+    #   A valid access token that Amazon Cognito issued to the user whose
+    #   software token you want to generate.
     #   @return [String]
     #
     # @!attribute [rw] session
@@ -2313,8 +2366,8 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] secret_code
-    #   A unique generated shared secret code that is used in the time-based
-    #   one-time password (TOTP) algorithm to generate a one-time code.
+    #   A unique generated shared secret code that is used in the TOTP
+    #   algorithm to generate a one-time code.
     #   @return [String]
     #
     # @!attribute [rw] session
@@ -2414,7 +2467,8 @@ module Aws::CognitoIdentityProvider
     # The authentication result.
     #
     # @!attribute [rw] access_token
-    #   The access token.
+    #   A valid access token that Amazon Cognito issued to the user who you
+    #   want to authenticate.
     #   @return [String]
     #
     # @!attribute [rw] expires_in
@@ -2489,7 +2543,8 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] access_token
-    #   The access token.
+    #   A valid access token that Amazon Cognito issued to the user whose
+    #   password you want to change.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ChangePasswordRequest AWS API Documentation
@@ -2508,18 +2563,21 @@ module Aws::CognitoIdentityProvider
     #
     class ChangePasswordResponse < Aws::EmptyStructure; end
 
-    # The code delivery details being returned from the server.
+    # The delivery details for an email or SMS message that Amazon Cognito
+    # sent for authentication or verification.
     #
     # @!attribute [rw] destination
-    #   The destination for the code delivery details.
+    #   The email address or phone number destination where Amazon Cognito
+    #   sent the code.
     #   @return [String]
     #
     # @!attribute [rw] delivery_medium
-    #   The delivery medium (email message or phone number).
+    #   The method that Amazon Cognito used to send the code.
     #   @return [String]
     #
     # @!attribute [rw] attribute_name
-    #   The attribute name.
+    #   The name of the attribute that Amazon Cognito verifies with the
+    #   code.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CodeDeliveryDetailsType AWS API Documentation
@@ -2645,7 +2703,8 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] access_token
-    #   The access token.
+    #   A valid access token that Amazon Cognito issued to the user whose
+    #   device you want to confirm.
     #   @return [String]
     #
     # @!attribute [rw] device_key
@@ -2701,6 +2760,7 @@ module Aws::CognitoIdentityProvider
     #           analytics_endpoint_id: "StringType",
     #         },
     #         user_context_data: {
+    #           ip_address: "StringType",
     #           encoded_data: "StringType",
     #         },
     #         client_metadata: {
@@ -2724,8 +2784,8 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] confirmation_code
-    #   The confirmation code sent by a user's request to retrieve a
-    #   forgotten password. For more information, see [ForgotPassword][1].
+    #   The confirmation code from your user's request to reset their
+    #   password. For more information, see [ForgotPassword][1].
     #
     #
     #
@@ -2733,8 +2793,7 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] password
-    #   The password sent by a user's request to retrieve a forgotten
-    #   password.
+    #   The new password that your user wants to set.
     #   @return [String]
     #
     # @!attribute [rw] analytics_metadata
@@ -2743,9 +2802,11 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::AnalyticsMetadataType]
     #
     # @!attribute [rw] user_context_data
-    #   Contextual data such as the user's device fingerprint, IP address,
-    #   or location used for evaluating the risk of an unexpected event by
-    #   Amazon Cognito advanced security.
+    #   Contextual data about your user session, such as the device
+    #   fingerprint, IP address, or location. Amazon Cognito advanced
+    #   security evaluates the risk of an authentication event based on the
+    #   context that your app generates and passes to Amazon Cognito when it
+    #   makes API requests.
     #   @return [Types::UserContextDataType]
     #
     # @!attribute [rw] client_metadata
@@ -2823,6 +2884,7 @@ module Aws::CognitoIdentityProvider
     #           analytics_endpoint_id: "StringType",
     #         },
     #         user_context_data: {
+    #           ip_address: "StringType",
     #           encoded_data: "StringType",
     #         },
     #         client_metadata: {
@@ -2865,9 +2927,11 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::AnalyticsMetadataType]
     #
     # @!attribute [rw] user_context_data
-    #   Contextual data such as the user's device fingerprint, IP address,
-    #   or location used for evaluating the risk of an unexpected event by
-    #   Amazon Cognito advanced security.
+    #   Contextual data about your user session, such as the device
+    #   fingerprint, IP address, or location. Amazon Cognito advanced
+    #   security evaluates the risk of an authentication event based on the
+    #   context that your app generates and passes to Amazon Cognito when it
+    #   makes API requests.
     #   @return [Types::UserContextDataType]
     #
     # @!attribute [rw] client_metadata
@@ -2950,7 +3014,7 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] ip_address
-    #   Source IP address of your user.
+    #   The source IP address of your user's device.
     #   @return [String]
     #
     # @!attribute [rw] server_name
@@ -2966,8 +3030,14 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<Types::HttpHeader>]
     #
     # @!attribute [rw] encoded_data
-    #   Encoded data containing device fingerprinting details collected
-    #   using the Amazon Cognito context data collection library.
+    #   Encoded device-fingerprint details that your app collected with the
+    #   Amazon Cognito context data collection library. For more
+    #   information, see [Adding user device and session data to API
+    #   requests][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ContextDataType AWS API Documentation
@@ -3013,7 +3083,7 @@ module Aws::CognitoIdentityProvider
     #   A non-negative integer value that specifies the precedence of this
     #   group relative to the other groups that a user can belong to in the
     #   user pool. Zero is the highest precedence value. Groups with lower
-    #   `Precedence` values take precedence over groups with higher ornull
+    #   `Precedence` values take precedence over groups with higher or null
     #   `Precedence` values. If a user belongs to two or more groups, it is
     #   the group with the lowest precedence value whose role ARN is given
     #   in the user's tokens for the `cognito:roles` and
@@ -3026,7 +3096,8 @@ module Aws::CognitoIdentityProvider
     #   group. If the two groups have different role ARNs, the
     #   `cognito:preferred_role` claim isn't set in users' tokens.
     #
-    #   The default `Precedence` value is null.
+    #   The default `Precedence` value is null. The maximum `Precedence`
+    #   value is `2^31-1`.
     #   @return [Integer]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateGroupRequest AWS API Documentation
@@ -3074,16 +3145,16 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] provider_name
-    #   The identity provider name.
+    #   The IdP name.
     #   @return [String]
     #
     # @!attribute [rw] provider_type
-    #   The identity provider type.
+    #   The IdP type.
     #   @return [String]
     #
     # @!attribute [rw] provider_details
-    #   The identity provider details. The following list describes the
-    #   provider detail keys for each identity provider type.
+    #   The IdP details. The following list describes the provider detail
+    #   keys for each IdP type.
     #
     #   * For Google and Login with Amazon:
     #
@@ -3127,35 +3198,38 @@ module Aws::CognitoIdentityProvider
     #
     #     * authorize\_scopes
     #
-    #     * authorize\_url *if not available from discovery URL specified by
-    #       oidc\_issuer key*
+    #     * The following keys are only present if Amazon Cognito didn't
+    #       discover them at the `oidc_issuer` URL.
+    #
+    #       * authorize\_url
+    #
+    #       * token\_url
     #
-    #     * token\_url *if not available from discovery URL specified by
-    #       oidc\_issuer key*
+    #       * attributes\_url
     #
-    #     * attributes\_url *if not available from discovery URL specified
-    #       by oidc\_issuer key*
+    #       * jwks\_uri
     #
-    #     * jwks\_uri *if not available from discovery URL specified by
-    #       oidc\_issuer key*
+    #     * Amazon Cognito sets the value of the following keys
+    #       automatically. They are read-only.
     #
-    #     * attributes\_url\_add\_attributes *a read-only property that is
-    #       set automatically*
+    #       * attributes\_url\_add\_attributes
+    #
+    #       ^
     #
     #   * For SAML providers:
     #
-    #     * MetadataFile OR MetadataURL
+    #     * MetadataFile or MetadataURL
     #
-    #     * IDPSignout (optional)
+    #     * IDPSignout *optional*
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] attribute_mapping
-    #   A mapping of identity provider attributes to standard and custom
-    #   user pool attributes.
+    #   A mapping of IdP attributes to standard and custom user pool
+    #   attributes.
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] idp_identifiers
-    #   A list of identity provider identifiers.
+    #   A list of IdP identifiers.
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateIdentityProviderRequest AWS API Documentation
@@ -3172,7 +3246,7 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] identity_provider
-    #   The newly created identity provider object.
+    #   The newly created IdP object.
     #   @return [Types::IdentityProviderType]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateIdentityProviderResponse AWS API Documentation
@@ -3326,6 +3400,7 @@ module Aws::CognitoIdentityProvider
     #         },
     #         prevent_user_existence_errors: "LEGACY", # accepts LEGACY, ENABLED
     #         enable_token_revocation: false,
+    #         enable_propagate_additional_user_context_data: false,
     #       }
     #
     # @!attribute [rw] user_pool_id
@@ -3343,26 +3418,53 @@ module Aws::CognitoIdentityProvider
     #   @return [Boolean]
     #
     # @!attribute [rw] refresh_token_validity
-    #   The time limit, in days, after which the refresh token is no longer
-    #   valid and can't be used.
+    #   The refresh token time limit. After this limit expires, your user
+    #   can't use their refresh token. To specify the time unit for
+    #   `RefreshTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
+    #   set a `TokenValidityUnits` value in your API request.
+    #
+    #   For example, when you set `RefreshTokenValidity` as `10` and
+    #   `TokenValidityUnits` as `days`, your user can refresh their session
+    #   and retrieve new access and ID tokens for 10 days.
+    #
+    #   The default time unit for `RefreshTokenValidity` in an API request
+    #   is days. You can't set `RefreshTokenValidity` to 0. If you do,
+    #   Amazon Cognito overrides the value with the default value of 30
+    #   days. *Valid range* is displayed below in seconds.
     #   @return [Integer]
     #
     # @!attribute [rw] access_token_validity
-    #   The time limit, between 5 minutes and 1 day, after which the access
-    #   token is no longer valid and can't be used. If you supply a
-    #   TokenValidityUnits value, you will override the default time unit.
+    #   The access token time limit. After this limit expires, your user
+    #   can't use their access token. To specify the time unit for
+    #   `AccessTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
+    #   set a `TokenValidityUnits` value in your API request.
+    #
+    #   For example, when you set `AccessTokenValidity` to `10` and
+    #   `TokenValidityUnits` to `hours`, your user can authorize access with
+    #   their access token for 10 hours.
+    #
+    #   The default time unit for `AccessTokenValidity` in an API request is
+    #   hours. *Valid range* is displayed below in seconds.
     #   @return [Integer]
     #
     # @!attribute [rw] id_token_validity
-    #   The time limit, between 5 minutes and 1 day, after which the access
-    #   token is no longer valid and can't be used. If you supply a
-    #   TokenValidityUnits value, you will override the default time unit.
+    #   The ID token time limit. After this limit expires, your user can't
+    #   use their ID token. To specify the time unit for `IdTokenValidity`
+    #   as `seconds`, `minutes`, `hours`, or `days`, set a
+    #   `TokenValidityUnits` value in your API request.
+    #
+    #   For example, when you set `IdTokenValidity` as `10` and
+    #   `TokenValidityUnits` as `hours`, your user can authenticate their
+    #   session with their ID token for 10 hours.
+    #
+    #   The default time unit for `AccessTokenValidity` in an API request is
+    #   hours. *Valid range* is displayed below in seconds.
     #   @return [Integer]
     #
     # @!attribute [rw] token_validity_units
-    #   The units in which the validity times are represented. Default for
-    #   RefreshToken is days, and default for ID and access tokens are
-    #   hours.
+    #   The units in which the validity times are represented. The default
+    #   unit for RefreshToken is days, and default for ID and access tokens
+    #   are hours.
     #   @return [Types::TokenValidityUnitsType]
     #
     # @!attribute [rw] read_attributes
@@ -3372,14 +3474,13 @@ module Aws::CognitoIdentityProvider
     # @!attribute [rw] write_attributes
     #   The user pool attributes that the app client can write to.
     #
-    #   If your app client allows users to sign in through an identity
-    #   provider, this array must include all attributes that you have
-    #   mapped to identity provider attributes. Amazon Cognito updates
-    #   mapped attributes when users sign in to your application through an
-    #   identity provider. If your app client does not have write access to
-    #   a mapped attribute, Amazon Cognito throws an error when it tries to
-    #   update the attribute. For more information, see [Specifying Identity
-    #   Provider Attribute Mappings for Your user pool][1].
+    #   If your app client allows users to sign in through an IdP, this
+    #   array must include all attributes that you have mapped to IdP
+    #   attributes. Amazon Cognito updates mapped attributes when users sign
+    #   in to your application through an IdP. If your app client does not
+    #   have write access to a mapped attribute, Amazon Cognito throws an
+    #   error when it tries to update the attribute. For more information,
+    #   see [Specifying IdP Attribute Mappings for Your user pool][1].
     #
     #
     #
@@ -3398,34 +3499,46 @@ module Aws::CognitoIdentityProvider
     #
     #   Valid values include:
     #
-    #   * `ALLOW_ADMIN_USER_PASSWORD_AUTH`\: Enable admin based user
-    #     password authentication flow `ADMIN_USER_PASSWORD_AUTH`. This
-    #     setting replaces the `ADMIN_NO_SRP_AUTH` setting. With this
-    #     authentication flow, Amazon Cognito receives the password in the
-    #     request instead of using the Secure Remote Password (SRP) protocol
-    #     to verify passwords.
+    #   ALLOW\_ADMIN\_USER\_PASSWORD\_AUTH
     #
-    #   * `ALLOW_CUSTOM_AUTH`\: Enable Lambda trigger based authentication.
+    #   : Enable admin based user password authentication flow
+    #     `ADMIN_USER_PASSWORD_AUTH`. This setting replaces the
+    #     `ADMIN_NO_SRP_AUTH` setting. With this authentication flow, Amazon
+    #     Cognito receives the password in the request instead of using the
+    #     Secure Remote Password (SRP) protocol to verify passwords.
     #
-    #   * `ALLOW_USER_PASSWORD_AUTH`\: Enable user password-based
-    #     authentication. In this flow, Amazon Cognito receives the password
-    #     in the request instead of using the SRP protocol to verify
-    #     passwords.
+    #   ALLOW\_CUSTOM\_AUTH
     #
-    #   * `ALLOW_USER_SRP_AUTH`\: Enable SRP-based authentication.
+    #   : Enable Lambda trigger based authentication.
     #
-    #   * `ALLOW_REFRESH_TOKEN_AUTH`\: Enable authflow to refresh tokens.
+    #   ALLOW\_USER\_PASSWORD\_AUTH
+    #
+    #   : Enable user password-based authentication. In this flow, Amazon
+    #     Cognito receives the password in the request instead of using the
+    #     SRP protocol to verify passwords.
+    #
+    #   ALLOW\_USER\_SRP\_AUTH
+    #
+    #   : Enable SRP-based authentication.
+    #
+    #   ALLOW\_REFRESH\_TOKEN\_AUTH
+    #
+    #   : Enable the authflow that refreshes tokens.
+    #
+    #   If you don't specify a value for `ExplicitAuthFlows`, your user
+    #   client supports `ALLOW_USER_SRP_AUTH` and `ALLOW_CUSTOM_AUTH`.
     #   @return [Array<String>]
     #
     # @!attribute [rw] supported_identity_providers
-    #   A list of provider names for the identity providers that are
+    #   A list of provider names for the identity providers (IdPs) that are
     #   supported on this client. The following are supported: `COGNITO`,
-    #   `Facebook`, `Google` and `LoginWithAmazon`.
+    #   `Facebook`, `Google`, `SignInWithApple`, and `LoginWithAmazon`. You
+    #   can also specify the names that you configured for the SAML and OIDC
+    #   IdPs in your user pool, for example `MySAMLIdP` or `MyOIDCIdP`.
     #   @return [Array<String>]
     #
     # @!attribute [rw] callback_urls
-    #   A list of allowed redirect (callback) URLs for the identity
-    #   providers.
+    #   A list of allowed redirect (callback) URLs for the IdPs.
     #
     #   A redirect URI must:
     #
@@ -3448,7 +3561,7 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<String>]
     #
     # @!attribute [rw] logout_urls
-    #   A list of allowed logout URLs for the identity providers.
+    #   A list of allowed logout URLs for the IdPs.
     #   @return [Array<String>]
     #
     # @!attribute [rw] default_redirect_uri
@@ -3477,22 +3590,28 @@ module Aws::CognitoIdentityProvider
     # @!attribute [rw] allowed_o_auth_flows
     #   The allowed OAuth flows.
     #
-    #   Set to `code` to initiate a code grant flow, which provides an
-    #   authorization code as the response. This code can be exchanged for
-    #   access tokens with the token endpoint.
+    #   code
+    #
+    #   : Use a code grant flow, which provides an authorization code as the
+    #     response. This code can be exchanged for access tokens with the
+    #     `/oauth2/token` endpoint.
     #
-    #   Set to `implicit` to specify that the client should get the access
-    #   token (and, optionally, ID token, based on scopes) directly.
+    #   implicit
     #
-    #   Set to `client_credentials` to specify that the client should get
-    #   the access token (and, optionally, ID token, based on scopes) from
-    #   the token endpoint using a combination of client and client\_secret.
+    #   : Issue the access token (and, optionally, ID token, based on
+    #     scopes) directly to your user.
+    #
+    #   client\_credentials
+    #
+    #   : Issue the access token from the `/oauth2/token` endpoint directly
+    #     to a non-person user using a combination of the client ID and
+    #     client secret.
     #   @return [Array<String>]
     #
     # @!attribute [rw] allowed_o_auth_scopes
-    #   The allowed OAuth scopes. Possible values provided by OAuth are:
+    #   The allowed OAuth scopes. Possible values provided by OAuth are
     #   `phone`, `email`, `openid`, and `profile`. Possible values provided
-    #   by Amazon Web Services are: `aws.cognito.signin.user.admin`. Custom
+    #   by Amazon Web Services are `aws.cognito.signin.user.admin`. Custom
     #   scopes created in Resource Servers are also supported.
     #   @return [Array<String>]
     #
@@ -3545,6 +3664,20 @@ module Aws::CognitoIdentityProvider
     #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html
     #   @return [Boolean]
     #
+    # @!attribute [rw] enable_propagate_additional_user_context_data
+    #   Activates the propagation of additional user context data. For more
+    #   information about propagation of user context data, see [ Adding
+    #   advanced security to a user pool][1]. If you don’t include this
+    #   parameter, you can't send device fingerprint information, including
+    #   source IP address, to Amazon Cognito advanced security. You can only
+    #   activate `EnablePropagateAdditionalUserContextData` in an app client
+    #   that has a client secret.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateUserPoolClientRequest AWS API Documentation
     #
     class CreateUserPoolClientRequest < Struct.new(
@@ -3567,7 +3700,8 @@ module Aws::CognitoIdentityProvider
       :allowed_o_auth_flows_user_pool_client,
       :analytics_configuration,
       :prevent_user_existence_errors,
-      :enable_token_revocation)
+      :enable_token_revocation,
+      :enable_propagate_additional_user_context_data)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3700,6 +3834,9 @@ module Aws::CognitoIdentityProvider
     #         },
     #         sms_authentication_message: "SmsVerificationMessageType",
     #         mfa_configuration: "OFF", # accepts OFF, ON, OPTIONAL
+    #         user_attribute_update_settings: {
+    #           attributes_require_verification_before_update: ["phone_number"], # accepts phone_number, email
+    #         },
     #         device_configuration: {
     #           challenge_required_on_new_device: false,
     #           device_only_remembered_on_user_prompt: false,
@@ -3813,8 +3950,8 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] email_verification_message
     #   A string representing the email verification message.
-    #   EmailVerificationMessage is allowed only if [EmailSendingAccount][1]
-    #   is DEVELOPER.
+    #   `EmailVerificationMessage` is allowed only if
+    #   [EmailSendingAccount][1] is DEVELOPER.
     #
     #
     #
@@ -3823,8 +3960,8 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] email_verification_subject
     #   A string representing the email verification subject.
-    #   EmailVerificationSubject is allowed only if [EmailSendingAccount][1]
-    #   is DEVELOPER.
+    #   `EmailVerificationSubject` is allowed only if
+    #   [EmailSendingAccount][1] is DEVELOPER.
     #
     #
     #
@@ -3844,8 +3981,28 @@ module Aws::CognitoIdentityProvider
     #   Specifies MFA configuration details.
     #   @return [String]
     #
+    # @!attribute [rw] user_attribute_update_settings
+    #   The settings for updates to user attributes. These settings include
+    #   the property `AttributesRequireVerificationBeforeUpdate`, a
+    #   user-pool setting that tells Amazon Cognito how to handle changes to
+    #   the value of your users' email address and phone number attributes.
+    #   For more information, see [ Verifying updates to email addresses and
+    #   phone numbers][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates
+    #   @return [Types::UserAttributeUpdateSettingsType]
+    #
     # @!attribute [rw] device_configuration
-    #   The device configuration.
+    #   The device-remembering configuration for a user pool. A null value
+    #   indicates that you have deactivated device remembering in your user
+    #   pool.
+    #
+    #   <note markdown="1"> When you provide a value for any `DeviceConfiguration` field, you
+    #   activate the Amazon Cognito device-remembering feature.
+    #
+    #    </note>
     #   @return [Types::DeviceConfigurationType]
     #
     # @!attribute [rw] email_configuration
@@ -3921,6 +4078,7 @@ module Aws::CognitoIdentityProvider
       :verification_message_template,
       :sms_authentication_message,
       :mfa_configuration,
+      :user_attribute_update_settings,
       :device_configuration,
       :email_configuration,
       :sms_configuration,
@@ -4071,7 +4229,7 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] provider_name
-    #   The identity provider name.
+    #   The IdP name.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DeleteIdentityProviderRequest AWS API Documentation
@@ -4127,7 +4285,8 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<String>]
     #
     # @!attribute [rw] access_token
-    #   The access token used in the request to delete user attributes.
+    #   A valid access token that Amazon Cognito issued to the user whose
+    #   attributes you want to delete.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DeleteUserAttributesRequest AWS API Documentation
@@ -4235,7 +4394,8 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] access_token
-    #   The access token from a request to delete a user.
+    #   A valid access token that Amazon Cognito issued to the user whose
+    #   user profile you want to delete.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DeleteUserRequest AWS API Documentation
@@ -4259,7 +4419,7 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] provider_name
-    #   The identity provider name.
+    #   The IdP name.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DescribeIdentityProviderRequest AWS API Documentation
@@ -4272,7 +4432,7 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] identity_provider
-    #   The identity provider that was deleted.
+    #   The IdP that was deleted.
     #   @return [Types::IdentityProviderType]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DescribeIdentityProviderResponse AWS API Documentation
@@ -4512,11 +4672,12 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
-    # The device tracking configuration for a user pool. A user pool with
-    # device tracking deactivated returns a null value.
+    # The device-remembering configuration for a user pool. A null value
+    # indicates that you have deactivated device remembering in your user
+    # pool.
     #
-    # <note markdown="1"> When you provide values for any DeviceConfiguration field, you
-    # activate device tracking.
+    # <note markdown="1"> When you provide a value for any `DeviceConfiguration` field, you
+    # activate the Amazon Cognito device-remembering feature.
     #
     #  </note>
     #
@@ -4533,17 +4694,23 @@ module Aws::CognitoIdentityProvider
     #   one-time password (TOTP) factors for multi-factor authentication
     #   (MFA).
     #
-    #   <note markdown="1"> Users that sign in with devices that have not been confirmed or
-    #   remembered will still have to provide a second factor, whether or
-    #   not ChallengeRequiredOnNewDevice is true, when your user pool
-    #   requires MFA.
+    #   <note markdown="1"> Regardless of the value of this field, users that sign in with new
+    #   devices that have not been confirmed or remembered must provide a
+    #   second factor if your user pool requires MFA.
     #
     #    </note>
     #   @return [Boolean]
     #
     # @!attribute [rw] device_only_remembered_on_user_prompt
-    #   When true, users can opt in to remembering their device. Your app
-    #   code must use callback functions to return the user's choice.
+    #   When true, Amazon Cognito doesn't remember newly-confirmed devices.
+    #   Users who want to authenticate with their device can instead opt in
+    #   to remembering their device. To collect a choice from your user,
+    #   create an input prompt in your app and return the value that the
+    #   user chooses in an [UpdateDeviceStatus][1] API request.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateDeviceStatus.html
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DeviceConfigurationType AWS API Documentation
@@ -4570,7 +4737,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] salt
-    #   The salt.
+    #   The [salt][1]
+    #
+    #
+    #
+    #   [1]: https://en.wikipedia.org/wiki/Salt_(cryptography)
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DeviceSecretVerifierConfigType AWS API Documentation
@@ -4762,29 +4933,6 @@ module Aws::CognitoIdentityProvider
     #     of an Amazon SES verified email address for the `SourceArn`
     #     parameter.
     #
-    #     If EmailSendingAccount is COGNITO\_DEFAULT, you can't use the
-    #     following parameters:
-    #
-    #     * EmailVerificationMessage
-    #
-    #     * EmailVerificationSubject
-    #
-    #     * InviteMessageTemplate.EmailMessage
-    #
-    #     * InviteMessageTemplate.EmailSubject
-    #
-    #     * VerificationMessageTemplate.EmailMessage
-    #
-    #     * VerificationMessageTemplate.EmailMessageByLink
-    #
-    #     * VerificationMessageTemplate.EmailSubject,
-    #
-    #     * VerificationMessageTemplate.EmailSubjectByLink
-    #
-    #     <note markdown="1"> DEVELOPER EmailSendingAccount is required.
-    #
-    #      </note>
-    #
     #   DEVELOPER
     #
     #   : When Amazon Cognito emails your users, it uses your Amazon SES
@@ -4794,8 +4942,8 @@ module Aws::CognitoIdentityProvider
     #     to your Amazon SES verified email address in your Amazon Web
     #     Services account.
     #
-    #     If you use this option, you must provide the ARN of an Amazon SES
-    #     verified email address for the `SourceArn` parameter.
+    #     If you use this option, provide the ARN of an Amazon SES verified
+    #     email address for the `SourceArn` parameter.
     #
     #     Before Amazon Cognito can email your users, it requires additional
     #     permissions to call Amazon SES on your behalf. When you update
@@ -4875,7 +5023,7 @@ module Aws::CognitoIdentityProvider
     # request.
     #
     # @!attribute [rw] ip_address
-    #   The user's IP address.
+    #   The source IP address of your user's device.
     #   @return [String]
     #
     # @!attribute [rw] device_name
@@ -4969,6 +5117,22 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
+    # This exception is thrown when WAF doesn't allow your request based on
+    # a web ACL that's associated with your user pool.
+    #
+    # @!attribute [rw] message
+    #   The message returned when WAF doesn't allow your request based on a
+    #   web ACL that's associated with your user pool.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ForbiddenException AWS API Documentation
+    #
+    class ForbiddenException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Represents the request to forget the device.
     #
     # @note When making an API call, you may pass ForgetDeviceRequest
@@ -4980,7 +5144,8 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] access_token
-    #   The access token for the forgotten device request.
+    #   A valid access token that Amazon Cognito issued to the user whose
+    #   registered device you want to forget.
     #   @return [String]
     #
     # @!attribute [rw] device_key
@@ -5005,6 +5170,7 @@ module Aws::CognitoIdentityProvider
     #         client_id: "ClientIdType", # required
     #         secret_hash: "SecretHashType",
     #         user_context_data: {
+    #           ip_address: "StringType",
     #           encoded_data: "StringType",
     #         },
     #         username: "UsernameType", # required
@@ -5027,9 +5193,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] user_context_data
-    #   Contextual data such as the user's device fingerprint, IP address,
-    #   or location used for evaluating the risk of an unexpected event by
-    #   Amazon Cognito advanced security.
+    #   Contextual data about your user session, such as the device
+    #   fingerprint, IP address, or location. Amazon Cognito advanced
+    #   security evaluates the risk of an authentication event based on the
+    #   context that your app generates and passes to Amazon Cognito when it
+    #   makes API requests.
     #   @return [Types::UserContextDataType]
     #
     # @!attribute [rw] username
@@ -5038,8 +5206,8 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] analytics_metadata
-    #   The Amazon Pinpoint analytics metadata for collecting metrics for
-    #   `ForgotPassword` calls.
+    #   The Amazon Pinpoint analytics metadata that contributes to your
+    #   metrics for `ForgotPassword` calls.
     #   @return [Types::AnalyticsMetadataType]
     #
     # @!attribute [rw] client_metadata
@@ -5094,8 +5262,7 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
-    # Respresents the response from the server regarding the request to
-    # reset a password.
+    # The response from Amazon Cognito to a request to reset a password.
     #
     # @!attribute [rw] code_delivery_details
     #   The code delivery details returned by the server in response to the
@@ -5169,7 +5336,8 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] access_token
-    #   The access token.
+    #   A valid access token that Amazon Cognito issued to the user whose
+    #   device information you want to request.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetDeviceRequest AWS API Documentation
@@ -5245,7 +5413,7 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] idp_identifier
-    #   The identity provider ID.
+    #   The IdP identifier.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetIdentityProviderByIdentifierRequest AWS API Documentation
@@ -5258,7 +5426,7 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] identity_provider
-    #   The identity provider object.
+    #   The IdP object.
     #   @return [Types::IdentityProviderType]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetIdentityProviderByIdentifierResponse AWS API Documentation
@@ -5355,8 +5523,8 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] access_token
-    #   The access token returned by the server response to get the user
-    #   attribute verification code.
+    #   A non-expired access token for the user whose attribute verification
+    #   code you want to generate.
     #   @return [String]
     #
     # @!attribute [rw] attribute_name
@@ -5448,15 +5616,17 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] sms_mfa_configuration
-    #   The SMS text message multi-factor (MFA) configuration.
+    #   The SMS text message multi-factor authentication (MFA)
+    #   configuration.
     #   @return [Types::SmsMfaConfigType]
     #
     # @!attribute [rw] software_token_mfa_configuration
-    #   The software token multi-factor (MFA) configuration.
+    #   The software token multi-factor authentication (MFA) configuration.
     #   @return [Types::SoftwareTokenMfaConfigType]
     #
     # @!attribute [rw] mfa_configuration
-    #   The multi-factor (MFA) configuration. Valid values include:
+    #   The multi-factor authentication (MFA) configuration. Valid values
+    #   include:
     #
     #   * `OFF` MFA won't be used for any users.
     #
@@ -5486,8 +5656,8 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] access_token
-    #   The access token returned by the server response to get information
-    #   about the user.
+    #   A non-expired access token for the user whose information you want
+    #   to query.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetUserRequest AWS API Documentation
@@ -5552,7 +5722,8 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] access_token
-    #   The access token.
+    #   A valid access token that Amazon Cognito issued to the user who you
+    #   want to sign out.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GlobalSignOutRequest AWS API Documentation
@@ -5670,23 +5841,23 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
-    # A container for information about an identity provider.
+    # A container for information about an IdP.
     #
     # @!attribute [rw] user_pool_id
     #   The user pool ID.
     #   @return [String]
     #
     # @!attribute [rw] provider_name
-    #   The identity provider name.
+    #   The IdP name.
     #   @return [String]
     #
     # @!attribute [rw] provider_type
-    #   The identity provider type.
+    #   The IdP type.
     #   @return [String]
     #
     # @!attribute [rw] provider_details
-    #   The identity provider details. The following list describes the
-    #   provider detail keys for each identity provider type.
+    #   The IdP details. The following list describes the provider detail
+    #   keys for each IdP type.
     #
     #   * For Google and Login with Amazon:
     #
@@ -5716,6 +5887,9 @@ module Aws::CognitoIdentityProvider
     #
     #     * private\_key
     #
+    #       *You can submit a private\_key when you add or update an IdP.
+    #       Describe operations don't return the private key.*
+    #
     #     * authorize\_scopes
     #
     #   * For OIDC providers:
@@ -5730,43 +5904,46 @@ module Aws::CognitoIdentityProvider
     #
     #     * authorize\_scopes
     #
-    #     * authorize\_url *if not available from discovery URL specified by
-    #       oidc\_issuer key*
+    #     * The following keys are only present if Amazon Cognito didn't
+    #       discover them at the `oidc_issuer` URL.
+    #
+    #       * authorize\_url
     #
-    #     * token\_url *if not available from discovery URL specified by
-    #       oidc\_issuer key*
+    #       * token\_url
     #
-    #     * attributes\_url *if not available from discovery URL specified
-    #       by oidc\_issuer key*
+    #       * attributes\_url
     #
-    #     * jwks\_uri *if not available from discovery URL specified by
-    #       oidc\_issuer key*
+    #       * jwks\_uri
     #
-    #     * attributes\_url\_add\_attributes *a read-only property that is
-    #       set automatically*
+    #     * Amazon Cognito sets the value of the following keys
+    #       automatically. They are read-only.
+    #
+    #       * attributes\_url\_add\_attributes
+    #
+    #       ^
     #
     #   * For SAML providers:
     #
     #     * MetadataFile or MetadataURL
     #
-    #     * IDPSignOut *optional*
+    #     * IDPSignout *optional*
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] attribute_mapping
-    #   A mapping of identity provider attributes to standard and custom
-    #   user pool attributes.
+    #   A mapping of IdP attributes to standard and custom user pool
+    #   attributes.
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] idp_identifiers
-    #   A list of identity provider identifiers.
+    #   A list of IdP identifiers.
     #   @return [Array<String>]
     #
     # @!attribute [rw] last_modified_date
-    #   The date the identity provider was last modified.
+    #   The date the IdP was last modified.
     #   @return [Time]
     #
     # @!attribute [rw] creation_date
-    #   The date the identity provider was created.
+    #   The date the IdP was created.
     #   @return [Time]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/IdentityProviderType AWS API Documentation
@@ -5802,6 +5979,7 @@ module Aws::CognitoIdentityProvider
     #           analytics_endpoint_id: "StringType",
     #         },
     #         user_context_data: {
+    #           ip_address: "StringType",
     #           encoded_data: "StringType",
     #         },
     #       }
@@ -5830,10 +6008,10 @@ module Aws::CognitoIdentityProvider
     #
     #   * `CUSTOM_AUTH`\: Custom authentication flow.
     #
-    #   * `USER_PASSWORD_AUTH`\: Non-SRP authentication flow; USERNAME and
-    #     PASSWORD are passed directly. If a user migration Lambda trigger
+    #   * `USER_PASSWORD_AUTH`\: Non-SRP authentication flow; user name and
+    #     password are passed directly. If a user migration Lambda trigger
     #     is set, this flow will invoke the user migration Lambda if it
-    #     doesn't find the USERNAME in the user pool.
+    #     doesn't find the user name in the user pool.
     #
     #   `ADMIN_NO_SRP_AUTH` isn't a valid value.
     #   @return [String]
@@ -5925,14 +6103,16 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] analytics_metadata
-    #   The Amazon Pinpoint analytics metadata for collecting metrics for
-    #   `InitiateAuth` calls.
+    #   The Amazon Pinpoint analytics metadata that contributes to your
+    #   metrics for `InitiateAuth` calls.
     #   @return [Types::AnalyticsMetadataType]
     #
     # @!attribute [rw] user_context_data
-    #   Contextual data such as the user's device fingerprint, IP address,
-    #   or location used for evaluating the risk of an unexpected event by
-    #   Amazon Cognito advanced security.
+    #   Contextual data about your user session, such as the device
+    #   fingerprint, IP address, or location. Amazon Cognito advanced
+    #   security evaluates the risk of an authentication event based on the
+    #   context that your app generates and passes to Amazon Cognito when it
+    #   makes API requests.
     #   @return [Types::UserContextDataType]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/InitiateAuthRequest AWS API Documentation
@@ -5981,9 +6161,23 @@ module Aws::CognitoIdentityProvider
     #     for devices only.
     #
     #   * `NEW_PASSWORD_REQUIRED`\: For users who are required to change
-    #     their passwords after successful first login. This challenge
-    #     should be passed with `NEW_PASSWORD` and any other required
-    #     attributes.
+    #     their passwords after successful first login.
+    #
+    #     Respond to this challenge with `NEW_PASSWORD` and any required
+    #     attributes that Amazon Cognito returned in the
+    #     `requiredAttributes` parameter. You can also set values for
+    #     attributes that aren't required by your user pool and that your
+    #     app client can write. For more information, see
+    #     [RespondToAuthChallenge][1].
+    #
+    #     <note markdown="1"> In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify
+    #     a required attribute that already has a value. In
+    #     `RespondToAuthChallenge`, set a value for any keys that Amazon
+    #     Cognito returned in the `requiredAttributes` parameter, then use
+    #     the `UpdateUserAttributes` API operation to modify the value of
+    #     any additional attributes.
+    #
+    #      </note>
     #
     #   * `MFA_SETUP`\: For users who are required to setup an MFA factor
     #     before they can sign in. The MFA types activated for the user pool
@@ -5996,6 +6190,10 @@ module Aws::CognitoIdentityProvider
     #     complete sign-in. To set up SMS MFA, an administrator should help
     #     the user to add a phone number to their account, and then the user
     #     should call `InitiateAuth` again to restart sign-in.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html
     #   @return [String]
     #
     # @!attribute [rw] session
@@ -6071,7 +6269,7 @@ module Aws::CognitoIdentityProvider
     # Lambda response.
     #
     # @!attribute [rw] message
-    #   The message returned when Amazon Cognito hrows an invalid Lambda
+    #   The message returned when Amazon Cognito throws an invalid Lambda
     #   response exception.
     #   @return [String]
     #
@@ -6308,7 +6506,8 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] access_token
-    #   The access tokens for the request to list devices.
+    #   A valid access token that Amazon Cognito issued to the user whose
+    #   list of devices you want to view.
     #   @return [String]
     #
     # @!attribute [rw] limit
@@ -6414,7 +6613,7 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] max_results
-    #   The maximum number of identity providers to return.
+    #   The maximum number of IdPs to return.
     #   @return [Integer]
     #
     # @!attribute [rw] next_token
@@ -6432,7 +6631,7 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] providers
-    #   A list of identity provider objects.
+    #   A list of IdP objects.
     #   @return [Array<Types::ProviderDescription>]
     #
     # @!attribute [rw] next_token
@@ -6738,9 +6937,8 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<Types::UserType>]
     #
     # @!attribute [rw] next_token
-    #   An identifier that was returned from the previous call to this
-    #   operation, which can be used to return the next set of items in the
-    #   list.
+    #   An identifier that you can use in a later request to return the next
+    #   set of items in the list.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ListUsersInGroupResponse AWS API Documentation
@@ -6831,8 +7029,8 @@ module Aws::CognitoIdentityProvider
     #   Custom attributes aren't searchable.
     #
     #   <note markdown="1"> You can also list users with a client-side filter. The server-side
-    #   filter matches no more than 1 attribute. For an advanced search, use
-    #   a client-side filter with the `--query` parameter of the
+    #   filter matches no more than one attribute. For an advanced search,
+    #   use a client-side filter with the `--query` parameter of the
     #   `list-users` action in the CLI. When you use a client-side filter,
     #   ListUsers returns a paginated list of zero or more users. You can
     #   receive multiple pages in a row with zero results. Repeat the query
@@ -7190,8 +7388,8 @@ module Aws::CognitoIdentityProvider
     #   administrator must reset their password.
     #
     #   <note markdown="1"> When you set `TemporaryPasswordValidityDays` for a user pool, you
-    #   can no longer set the deprecated `UnusedAccountValidityDays` value
-    #   for that user pool.
+    #   can no longer set a value for the legacy `UnusedAccountValidityDays`
+    #   parameter in that user pool.
     #
     #    </note>
     #   @return [Integer]
@@ -7237,14 +7435,14 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
-    # A container for identity provider details.
+    # A container for IdP details.
     #
     # @!attribute [rw] provider_name
-    #   The identity provider name.
+    #   The IdP name.
     #   @return [String]
     #
     # @!attribute [rw] provider_type
-    #   The identity provider type.
+    #   The IdP type.
     #   @return [String]
     #
     # @!attribute [rw] last_modified_date
@@ -7266,8 +7464,7 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
-    # A container for information about an identity provider for a user
-    # pool.
+    # A container for information about an IdP for a user pool.
     #
     # @note When making an API call, you may pass ProviderUserIdentifierType
     #   data as a hash:
@@ -7340,6 +7537,7 @@ module Aws::CognitoIdentityProvider
     #         client_id: "ClientIdType", # required
     #         secret_hash: "SecretHashType",
     #         user_context_data: {
+    #           ip_address: "StringType",
     #           encoded_data: "StringType",
     #         },
     #         username: "UsernameType", # required
@@ -7362,9 +7560,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] user_context_data
-    #   Contextual data such as the user's device fingerprint, IP address,
-    #   or location used for evaluating the risk of an unexpected event by
-    #   Amazon Cognito advanced security.
+    #   Contextual data about your user session, such as the device
+    #   fingerprint, IP address, or location. Amazon Cognito advanced
+    #   security evaluates the risk of an authentication event based on the
+    #   context that your app generates and passes to Amazon Cognito when it
+    #   makes API requests.
     #   @return [Types::UserContextDataType]
     #
     # @!attribute [rw] username
@@ -7373,8 +7573,8 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] analytics_metadata
-    #   The Amazon Pinpoint analytics metadata for collecting metrics for
-    #   `ResendConfirmationCode` calls.
+    #   The Amazon Pinpoint analytics metadata that contributes to your
+    #   metrics for `ResendConfirmationCode` calls.
     #   @return [Types::AnalyticsMetadataType]
     #
     # @!attribute [rw] client_metadata
@@ -7532,6 +7732,7 @@ module Aws::CognitoIdentityProvider
     #           analytics_endpoint_id: "StringType",
     #         },
     #         user_context_data: {
+    #           ip_address: "StringType",
     #           encoded_data: "StringType",
     #         },
     #         client_metadata: {
@@ -7577,13 +7778,27 @@ module Aws::CognitoIdentityProvider
     #   * `PASSWORD_VERIFIER`\: `PASSWORD_CLAIM_SIGNATURE`,
     #     `PASSWORD_CLAIM_SECRET_BLOCK`, `TIMESTAMP`, `USERNAME`.
     #
-    #     <note markdown="1"> `PASSWORD_VERIFIER` requires `DEVICE_KEY` when signing in with a
+    #     <note markdown="1"> `PASSWORD_VERIFIER` requires `DEVICE_KEY` when you sign in with a
     #     remembered device.
     #
     #      </note>
     #
-    #   * `NEW_PASSWORD_REQUIRED`\: `NEW_PASSWORD`, any other required
-    #     attributes, `USERNAME`.
+    #   * `NEW_PASSWORD_REQUIRED`\: `NEW_PASSWORD`, `USERNAME`,
+    #     `SECRET_HASH` (if app client is configured with client secret). To
+    #     set any required attributes that Amazon Cognito returned as
+    #     `requiredAttributes` in the `InitiateAuth` response, add a
+    #     `userAttributes.attributename ` parameter. This parameter can also
+    #     set values for writable attributes that aren't required by your
+    #     user pool.
+    #
+    #     <note markdown="1"> In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify
+    #     a required attribute that already has a value. In
+    #     `RespondToAuthChallenge`, set a value for any keys that Amazon
+    #     Cognito returned in the `requiredAttributes` parameter, then use
+    #     the `UpdateUserAttributes` API operation to modify the value of
+    #     any additional attributes.
+    #
+    #      </note>
     #
     #   * `SOFTWARE_TOKEN_MFA`\: `USERNAME` and `SOFTWARE_TOKEN_MFA_CODE`
     #     are required attributes.
@@ -7600,14 +7815,16 @@ module Aws::CognitoIdentityProvider
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] analytics_metadata
-    #   The Amazon Pinpoint analytics metadata for collecting metrics for
-    #   `RespondToAuthChallenge` calls.
+    #   The Amazon Pinpoint analytics metadata that contributes to your
+    #   metrics for `RespondToAuthChallenge` calls.
     #   @return [Types::AnalyticsMetadataType]
     #
     # @!attribute [rw] user_context_data
-    #   Contextual data such as the user's device fingerprint, IP address,
-    #   or location used for evaluating the risk of an unexpected event by
-    #   Amazon Cognito advanced security.
+    #   Contextual data about your user session, such as the device
+    #   fingerprint, IP address, or location. Amazon Cognito advanced
+    #   security evaluates the risk of an authentication event based on the
+    #   context that your app generates and passes to Amazon Cognito when it
+    #   makes API requests.
     #   @return [Types::UserContextDataType]
     #
     # @!attribute [rw] client_metadata
@@ -7903,13 +8120,13 @@ module Aws::CognitoIdentityProvider
     # @!attribute [rw] mutable
     #   Specifies whether the value of the attribute can be changed.
     #
-    #   For any user pool attribute that is mapped to an identity provider
-    #   attribute, you must set this parameter to `true`. Amazon Cognito
-    #   updates mapped attributes when users sign in to your application
-    #   through an identity provider. If an attribute is immutable, Amazon
-    #   Cognito throws an error when it attempts to update the attribute.
-    #   For more information, see [Specifying Identity Provider Attribute
-    #   Mappings for Your User Pool][1].
+    #   For any user pool attribute that is mapped to an IdP attribute, you
+    #   must set this parameter to `true`. Amazon Cognito updates mapped
+    #   attributes when users sign in to your application through an IdP. If
+    #   an attribute is immutable, Amazon Cognito throws an error when it
+    #   attempts to update the attribute. For more information, see
+    #   [Specifying Identity Provider Attribute Mappings for Your User
+    #   Pool][1].
     #
     #
     #
@@ -8131,11 +8348,12 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::SMSMfaSettingsType]
     #
     # @!attribute [rw] software_token_mfa_settings
-    #   The time-based one-time password software token MFA settings.
+    #   The time-based one-time password (TOTP) software token MFA settings.
     #   @return [Types::SoftwareTokenMfaSettingsType]
     #
     # @!attribute [rw] access_token
-    #   The access token for the user.
+    #   A valid access token that Amazon Cognito issued to the user whose
+    #   MFA preference you want to set.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SetUserMFAPreferenceRequest AWS API Documentation
@@ -8254,7 +8472,8 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] access_token
-    #   The access token for the set user settings request.
+    #   A valid access token that Amazon Cognito issued to the user whose
+    #   user settings you want to configure.
     #   @return [String]
     #
     # @!attribute [rw] mfa_options
@@ -8303,6 +8522,7 @@ module Aws::CognitoIdentityProvider
     #           analytics_endpoint_id: "StringType",
     #         },
     #         user_context_data: {
+    #           ip_address: "StringType",
     #           encoded_data: "StringType",
     #         },
     #         client_metadata: {
@@ -8340,14 +8560,16 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<Types::AttributeType>]
     #
     # @!attribute [rw] analytics_metadata
-    #   The Amazon Pinpoint analytics metadata for collecting metrics for
-    #   `SignUp` calls.
+    #   The Amazon Pinpoint analytics metadata that contributes to your
+    #   metrics for `SignUp` calls.
     #   @return [Types::AnalyticsMetadataType]
     #
     # @!attribute [rw] user_context_data
-    #   Contextual data such as the user's device fingerprint, IP address,
-    #   or location used for evaluating the risk of an unexpected event by
-    #   Amazon Cognito advanced security.
+    #   Contextual data about your user session, such as the device
+    #   fingerprint, IP address, or location. Amazon Cognito advanced
+    #   security evaluates the risk of an authentication event based on the
+    #   context that your app generates and passes to Amazon Cognito when it
+    #   makes API requests.
     #   @return [Types::UserContextDataType]
     #
     # @!attribute [rw] client_metadata
@@ -8760,8 +8982,8 @@ module Aws::CognitoIdentityProvider
     #
     class TagResourceResponse < Aws::EmptyStructure; end
 
-    # The data type for TokenValidityUnits that specifics the time
-    # measurements for token validity.
+    # The data type TokenValidityUnits specifies the time units you use when
+    # you set the duration of ID, access, and refresh tokens.
     #
     # @note When making an API call, you may pass TokenValidityUnitsType
     #   data as a hash:
@@ -8773,18 +8995,21 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] access_token
-    #   A time unit in “seconds”, “minutes”, “hours”, or “days” for the
-    #   value in AccessTokenValidity, defaulting to hours.
+    #   A time unit of `seconds`, `minutes`, `hours`, or `days` for the
+    #   value that you set in the `AccessTokenValidity` parameter. The
+    #   default `AccessTokenValidity` time unit is hours.
     #   @return [String]
     #
     # @!attribute [rw] id_token
-    #   A time unit in “seconds”, “minutes”, “hours”, or “days” for the
-    #   value in IdTokenValidity, defaulting to hours.
+    #   A time unit of `seconds`, `minutes`, `hours`, or `days` for the
+    #   value that you set in the `IdTokenValidity` parameter. The default
+    #   `IdTokenValidity` time unit is hours.
     #   @return [String]
     #
     # @!attribute [rw] refresh_token
-    #   A time unit in “seconds”, “minutes”, “hours”, or “days” for the
-    #   value in RefreshTokenValidity, defaulting to days.
+    #   A time unit of `seconds`, `minutes`, `hours`, or `days` for the
+    #   value that you set in the `RefreshTokenValidity` parameter. The
+    #   default `RefreshTokenValidity` time unit is days.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/TokenValidityUnitsType AWS API Documentation
@@ -9049,7 +9274,8 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] access_token
-    #   The access token.
+    #   A valid access token that Amazon Cognito issued to the user whose
+    #   device status you want to update.
     #   @return [String]
     #
     # @!attribute [rw] device_key
@@ -9158,20 +9384,20 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] provider_name
-    #   The identity provider name.
+    #   The IdP name.
     #   @return [String]
     #
     # @!attribute [rw] provider_details
-    #   The identity provider details to be updated, such as `MetadataURL`
-    #   and `MetadataFile`.
+    #   The IdP details to be updated, such as `MetadataURL` and
+    #   `MetadataFile`.
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] attribute_mapping
-    #   The identity provider attribute mapping to be changed.
+    #   The IdP attribute mapping to be changed.
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] idp_identifiers
-    #   A list of identity provider identifiers.
+    #   A list of IdP identifiers.
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateIdentityProviderRequest AWS API Documentation
@@ -9187,7 +9413,7 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] identity_provider
-    #   The identity provider object.
+    #   The IdP object.
     #   @return [Types::IdentityProviderType]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateIdentityProviderResponse AWS API Documentation
@@ -9275,10 +9501,19 @@ module Aws::CognitoIdentityProvider
     #
     #   For custom attributes, you must prepend the `custom:` prefix to the
     #   attribute name.
+    #
+    #   If you have set an attribute to require verification before Amazon
+    #   Cognito updates its value, this request doesn’t immediately update
+    #   the value of that attribute. After your user receives and responds
+    #   to a verification message to verify the new value, Amazon Cognito
+    #   updates the attribute value. Your user can sign in and receive
+    #   messages with the original attribute value until they verify the new
+    #   value.
     #   @return [Array<Types::AttributeType>]
     #
     # @!attribute [rw] access_token
-    #   The access token for the request to update user attributes.
+    #   A valid access token that Amazon Cognito issued to the user whose
+    #   user attributes you want to update.
     #   @return [String]
     #
     # @!attribute [rw] client_metadata
@@ -9381,6 +9616,7 @@ module Aws::CognitoIdentityProvider
     #         },
     #         prevent_user_existence_errors: "LEGACY", # accepts LEGACY, ENABLED
     #         enable_token_revocation: false,
+    #         enable_propagate_additional_user_context_data: false,
     #       }
     #
     # @!attribute [rw] user_pool_id
@@ -9397,23 +9633,53 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] refresh_token_validity
-    #   The time limit, in days, after which the refresh token is no longer
-    #   valid and can't be used.
+    #   The refresh token time limit. After this limit expires, your user
+    #   can't use their refresh token. To specify the time unit for
+    #   `RefreshTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
+    #   set a `TokenValidityUnits` value in your API request.
+    #
+    #   For example, when you set `RefreshTokenValidity` as `10` and
+    #   `TokenValidityUnits` as `days`, your user can refresh their session
+    #   and retrieve new access and ID tokens for 10 days.
+    #
+    #   The default time unit for `RefreshTokenValidity` in an API request
+    #   is days. You can't set `RefreshTokenValidity` to 0. If you do,
+    #   Amazon Cognito overrides the value with the default value of 30
+    #   days. *Valid range* is displayed below in seconds.
     #   @return [Integer]
     #
     # @!attribute [rw] access_token_validity
-    #   The time limit after which the access token is no longer valid and
-    #   can't be used.
+    #   The access token time limit. After this limit expires, your user
+    #   can't use their access token. To specify the time unit for
+    #   `AccessTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
+    #   set a `TokenValidityUnits` value in your API request.
+    #
+    #   For example, when you set `AccessTokenValidity` to `10` and
+    #   `TokenValidityUnits` to `hours`, your user can authorize access with
+    #   their access token for 10 hours.
+    #
+    #   The default time unit for `AccessTokenValidity` in an API request is
+    #   hours. *Valid range* is displayed below in seconds.
     #   @return [Integer]
     #
     # @!attribute [rw] id_token_validity
-    #   The time limit after which the ID token is no longer valid and
-    #   can't be used.
+    #   The ID token time limit. After this limit expires, your user can't
+    #   use their ID token. To specify the time unit for `IdTokenValidity`
+    #   as `seconds`, `minutes`, `hours`, or `days`, set a
+    #   `TokenValidityUnits` value in your API request.
+    #
+    #   For example, when you set `IdTokenValidity` as `10` and
+    #   `TokenValidityUnits` as `hours`, your user can authenticate their
+    #   session with their ID token for 10 hours.
+    #
+    #   The default time unit for `AccessTokenValidity` in an API request is
+    #   hours. *Valid range* is displayed below in seconds.
     #   @return [Integer]
     #
     # @!attribute [rw] token_validity_units
-    #   The units in which the validity times are represented. Default for
-    #   RefreshToken is days, and default for ID and access tokens is hours.
+    #   The units in which the validity times are represented. The default
+    #   unit for RefreshToken is days, and the default for ID and access
+    #   tokens is hours.
     #   @return [Types::TokenValidityUnitsType]
     #
     # @!attribute [rw] read_attributes
@@ -9453,13 +9719,14 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<String>]
     #
     # @!attribute [rw] supported_identity_providers
-    #   A list of provider names for the identity providers that are
-    #   supported on this client.
+    #   A list of provider names for the IdPs that this client supports. The
+    #   following are supported: `COGNITO`, `Facebook`, `Google`,
+    #   `SignInWithApple`, `LoginWithAmazon`, and the names of your own SAML
+    #   and OIDC providers.
     #   @return [Array<String>]
     #
     # @!attribute [rw] callback_urls
-    #   A list of allowed redirect (callback) URLs for the identity
-    #   providers.
+    #   A list of allowed redirect (callback) URLs for the IdPs.
     #
     #   A redirect URI must:
     #
@@ -9482,7 +9749,7 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<String>]
     #
     # @!attribute [rw] logout_urls
-    #   A list of allowed logout URLs for the identity providers.
+    #   A list of allowed logout URLs for the IdPs.
     #   @return [Array<String>]
     #
     # @!attribute [rw] default_redirect_uri
@@ -9511,22 +9778,28 @@ module Aws::CognitoIdentityProvider
     # @!attribute [rw] allowed_o_auth_flows
     #   The allowed OAuth flows.
     #
-    #   Set to `code` to initiate a code grant flow, which provides an
-    #   authorization code as the response. This code can be exchanged for
-    #   access tokens with the token endpoint.
+    #   code
     #
-    #   Set to `implicit` to specify that the client should get the access
-    #   token (and, optionally, ID token, based on scopes) directly.
+    #   : Use a code grant flow, which provides an authorization code as the
+    #     response. This code can be exchanged for access tokens with the
+    #     `/oauth2/token` endpoint.
     #
-    #   Set to `client_credentials` to specify that the client should get
-    #   the access token (and, optionally, ID token, based on scopes) from
-    #   the token endpoint using a combination of client and client\_secret.
+    #   implicit
+    #
+    #   : Issue the access token (and, optionally, ID token, based on
+    #     scopes) directly to your user.
+    #
+    #   client\_credentials
+    #
+    #   : Issue the access token from the `/oauth2/token` endpoint directly
+    #     to a non-person user using a combination of the client ID and
+    #     client secret.
     #   @return [Array<String>]
     #
     # @!attribute [rw] allowed_o_auth_scopes
-    #   The allowed OAuth scopes. Possible values provided by OAuth are:
+    #   The allowed OAuth scopes. Possible values provided by OAuth are
     #   `phone`, `email`, `openid`, and `profile`. Possible values provided
-    #   by Amazon Web Services are: `aws.cognito.signin.user.admin`. Custom
+    #   by Amazon Web Services are `aws.cognito.signin.user.admin`. Custom
     #   scopes created in Resource Servers are also supported.
     #   @return [Array<String>]
     #
@@ -9536,8 +9809,8 @@ module Aws::CognitoIdentityProvider
     #   @return [Boolean]
     #
     # @!attribute [rw] analytics_configuration
-    #   The Amazon Pinpoint analytics configuration for collecting metrics
-    #   for this user pool.
+    #   The Amazon Pinpoint analytics configuration necessary to collect
+    #   metrics for this user pool.
     #
     #   <note markdown="1"> In Amazon Web Services Regions where Amazon Pinpoint isn't
     #   available, user pools only support sending events to Amazon Pinpoint
@@ -9576,6 +9849,20 @@ module Aws::CognitoIdentityProvider
     #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html
     #   @return [Boolean]
     #
+    # @!attribute [rw] enable_propagate_additional_user_context_data
+    #   Activates the propagation of additional user context data. For more
+    #   information about propagation of user context data, see [ Adding
+    #   advanced security to a user pool][1]. If you don’t include this
+    #   parameter, you can't send device fingerprint information, including
+    #   source IP address, to Amazon Cognito advanced security. You can only
+    #   activate `EnablePropagateAdditionalUserContextData` in an app client
+    #   that has a client secret.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateUserPoolClientRequest AWS API Documentation
     #
     class UpdateUserPoolClientRequest < Struct.new(
@@ -9598,7 +9885,8 @@ module Aws::CognitoIdentityProvider
       :allowed_o_auth_flows_user_pool_client,
       :analytics_configuration,
       :prevent_user_existence_errors,
-      :enable_token_revocation)
+      :enable_token_revocation,
+      :enable_propagate_additional_user_context_data)
       SENSITIVE = [:client_id]
       include Aws::Structure
     end
@@ -9729,6 +10017,9 @@ module Aws::CognitoIdentityProvider
     #           default_email_option: "CONFIRM_WITH_LINK", # accepts CONFIRM_WITH_LINK, CONFIRM_WITH_CODE
     #         },
     #         sms_authentication_message: "SmsVerificationMessageType",
+    #         user_attribute_update_settings: {
+    #           attributes_require_verification_before_update: ["phone_number"], # accepts phone_number, email
+    #         },
     #         mfa_configuration: "OFF", # accepts OFF, ON, OPTIONAL
     #         device_configuration: {
     #           challenge_required_on_new_device: false,
@@ -9809,8 +10100,21 @@ module Aws::CognitoIdentityProvider
     #   The contents of the SMS authentication message.
     #   @return [String]
     #
+    # @!attribute [rw] user_attribute_update_settings
+    #   The settings for updates to user attributes. These settings include
+    #   the property `AttributesRequireVerificationBeforeUpdate`, a
+    #   user-pool setting that tells Amazon Cognito how to handle changes to
+    #   the value of your users' email address and phone number attributes.
+    #   For more information, see [ Verifying updates to email addresses and
+    #   phone numbers][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates
+    #   @return [Types::UserAttributeUpdateSettingsType]
+    #
     # @!attribute [rw] mfa_configuration
-    #   Can be one of the following values:
+    #   Possible values include:
     #
     #   * `OFF` - MFA tokens aren't required and can't be specified during
     #     user registration.
@@ -9829,7 +10133,14 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] device_configuration
-    #   Device configuration.
+    #   The device-remembering configuration for a user pool. A null value
+    #   indicates that you have deactivated device remembering in your user
+    #   pool.
+    #
+    #   <note markdown="1"> When you provide a value for any `DeviceConfiguration` field, you
+    #   activate the Amazon Cognito device-remembering feature.
+    #
+    #    </note>
     #   @return [Types::DeviceConfigurationType]
     #
     # @!attribute [rw] email_configuration
@@ -9886,6 +10197,7 @@ module Aws::CognitoIdentityProvider
       :email_verification_subject,
       :verification_message_template,
       :sms_authentication_message,
+      :user_attribute_update_settings,
       :mfa_configuration,
       :device_configuration,
       :email_configuration,
@@ -9905,6 +10217,60 @@ module Aws::CognitoIdentityProvider
     #
     class UpdateUserPoolResponse < Aws::EmptyStructure; end
 
+    # The settings for updates to user attributes. These settings include
+    # the property `AttributesRequireVerificationBeforeUpdate`, a user-pool
+    # setting that tells Amazon Cognito how to handle changes to the value
+    # of your users' email address and phone number attributes. For more
+    # information, see [ Verifying updates to email addresses and phone
+    # numbers][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates
+    #
+    # @note When making an API call, you may pass UserAttributeUpdateSettingsType
+    #   data as a hash:
+    #
+    #       {
+    #         attributes_require_verification_before_update: ["phone_number"], # accepts phone_number, email
+    #       }
+    #
+    # @!attribute [rw] attributes_require_verification_before_update
+    #   Requires that your user verifies their email address, phone number,
+    #   or both before Amazon Cognito updates the value of that attribute.
+    #   When you update a user attribute that has this option activated,
+    #   Amazon Cognito sends a verification message to the new phone number
+    #   or email address. Amazon Cognito doesn’t change the value of the
+    #   attribute until your user responds to the verification message and
+    #   confirms the new value.
+    #
+    #   You can verify an updated email address or phone number with a
+    #   [VerifyUserAttribute][1] API request. You can also call the
+    #   [UpdateUserAttributes][2] or [AdminUpdateUserAttributes][3] API and
+    #   set `email_verified` or `phone_number_verified` to true.
+    #
+    #   When `AttributesRequireVerificationBeforeUpdate` is false, your user
+    #   pool doesn't require that your users verify attribute changes
+    #   before Amazon Cognito updates them. In a user pool where
+    #   `AttributesRequireVerificationBeforeUpdate` is false, API operations
+    #   that change attribute values can immediately update a user’s `email`
+    #   or `phone_number` attribute.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerifyUserAttribute.html
+    #   [2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html
+    #   [3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html
+    #   @return [Array<String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UserAttributeUpdateSettingsType AWS API Documentation
+    #
+    class UserAttributeUpdateSettingsType < Struct.new(
+      :attributes_require_verification_before_update)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Contextual data, such as the user's device fingerprint, IP address,
     # or location, used for evaluating the risk of an unexpected event by
     # Amazon Cognito advanced security.
@@ -9913,18 +10279,29 @@ module Aws::CognitoIdentityProvider
     #   data as a hash:
     #
     #       {
+    #         ip_address: "StringType",
     #         encoded_data: "StringType",
     #       }
     #
+    # @!attribute [rw] ip_address
+    #   The source IP address of your user's device.
+    #   @return [String]
+    #
     # @!attribute [rw] encoded_data
-    #   Contextual data, such as the user's device fingerprint, IP address,
-    #   or location, used for evaluating the risk of an unexpected event by
-    #   Amazon Cognito advanced security.
+    #   Encoded device-fingerprint details that your app collected with the
+    #   Amazon Cognito context data collection library. For more
+    #   information, see [Adding user device and session data to API
+    #   requests][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UserContextDataType AWS API Documentation
     #
     class UserContextDataType < Struct.new(
+      :ip_address,
       :encoded_data)
       SENSITIVE = []
       include Aws::Structure
@@ -10174,24 +10551,52 @@ module Aws::CognitoIdentityProvider
     #   @return [Time]
     #
     # @!attribute [rw] refresh_token_validity
-    #   The time limit, in days, after which the refresh token is no longer
-    #   valid and can't be used.
+    #   The refresh token time limit. After this limit expires, your user
+    #   can't use their refresh token. To specify the time unit for
+    #   `RefreshTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
+    #   set a `TokenValidityUnits` value in your API request.
+    #
+    #   For example, when you set `RefreshTokenValidity` as `10` and
+    #   `TokenValidityUnits` as `days`, your user can refresh their session
+    #   and retrieve new access and ID tokens for 10 days.
+    #
+    #   The default time unit for `RefreshTokenValidity` in an API request
+    #   is days. You can't set `RefreshTokenValidity` to 0. If you do,
+    #   Amazon Cognito overrides the value with the default value of 30
+    #   days. *Valid range* is displayed below in seconds.
     #   @return [Integer]
     #
     # @!attribute [rw] access_token_validity
-    #   The time limit, specified by tokenValidityUnits, defaulting to
-    #   hours, after which the access token is no longer valid and can't be
-    #   used.
+    #   The access token time limit. After this limit expires, your user
+    #   can't use their access token. To specify the time unit for
+    #   `AccessTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
+    #   set a `TokenValidityUnits` value in your API request.
+    #
+    #   For example, when you set `AccessTokenValidity` to `10` and
+    #   `TokenValidityUnits` to `hours`, your user can authorize access with
+    #   their access token for 10 hours.
+    #
+    #   The default time unit for `AccessTokenValidity` in an API request is
+    #   hours. *Valid range* is displayed below in seconds.
     #   @return [Integer]
     #
     # @!attribute [rw] id_token_validity
-    #   The time limit specified by tokenValidityUnits, defaulting to hours,
-    #   after which the refresh token is no longer valid and can't be used.
+    #   The ID token time limit. After this limit expires, your user can't
+    #   use their ID token. To specify the time unit for `IdTokenValidity`
+    #   as `seconds`, `minutes`, `hours`, or `days`, set a
+    #   `TokenValidityUnits` value in your API request.
+    #
+    #   For example, when you set `IdTokenValidity` as `10` and
+    #   `TokenValidityUnits` as `hours`, your user can authenticate their
+    #   session with their ID token for 10 hours.
+    #
+    #   The default time unit for `AccessTokenValidity` in an API request is
+    #   hours. *Valid range* is displayed below in seconds.
     #   @return [Integer]
     #
     # @!attribute [rw] token_validity_units
-    #   The time units used to specify the token validity times of their
-    #   respective token.
+    #   The time units used to specify the token validity times of each
+    #   token type: ID, access, and refresh.
     #   @return [Types::TokenValidityUnitsType]
     #
     # @!attribute [rw] read_attributes
@@ -10231,13 +10636,14 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<String>]
     #
     # @!attribute [rw] supported_identity_providers
-    #   A list of provider names for the identity providers that are
-    #   supported on this client.
+    #   A list of provider names for the IdPs that this client supports. The
+    #   following are supported: `COGNITO`, `Facebook`, `Google`,
+    #   `SignInWithApple`, `LoginWithAmazon`, and the names of your own SAML
+    #   and OIDC providers.
     #   @return [Array<String>]
     #
     # @!attribute [rw] callback_urls
-    #   A list of allowed redirect (callback) URLs for the identity
-    #   providers.
+    #   A list of allowed redirect (callback) URLs for the IdPs.
     #
     #   A redirect URI must:
     #
@@ -10260,7 +10666,7 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<String>]
     #
     # @!attribute [rw] logout_urls
-    #   A list of allowed logout URLs for the identity providers.
+    #   A list of allowed logout URLs for the IdPs.
     #   @return [Array<String>]
     #
     # @!attribute [rw] default_redirect_uri
@@ -10289,23 +10695,30 @@ module Aws::CognitoIdentityProvider
     # @!attribute [rw] allowed_o_auth_flows
     #   The allowed OAuth flows.
     #
-    #   Set to `code` to initiate a code grant flow, which provides an
-    #   authorization code as the response. This code can be exchanged for
-    #   access tokens with the token endpoint.
+    #   code
+    #
+    #   : Use a code grant flow, which provides an authorization code as the
+    #     response. This code can be exchanged for access tokens with the
+    #     `/oauth2/token` endpoint.
+    #
+    #   implicit
     #
-    #   Set to `implicit` to specify that the client should get the access
-    #   token (and, optionally, ID token, based on scopes) directly.
+    #   : Issue the access token (and, optionally, ID token, based on
+    #     scopes) directly to your user.
     #
-    #   Set to `client_credentials` to specify that the client should get
-    #   the access token (and, optionally, ID token, based on scopes) from
-    #   the token endpoint using a combination of client and client\_secret.
+    #   client\_credentials
+    #
+    #   : Issue the access token from the `/oauth2/token` endpoint directly
+    #     to a non-person user using a combination of the client ID and
+    #     client secret.
     #   @return [Array<String>]
     #
     # @!attribute [rw] allowed_o_auth_scopes
-    #   The allowed OAuth scopes. Possible values provided by OAuth are:
-    #   `phone`, `email`, `openid`, and `profile`. Possible values provided
-    #   by Amazon Web Services are: `aws.cognito.signin.user.admin`. Custom
-    #   scopes created in Resource Servers are also supported.
+    #   The OAuth scopes that your app client supports. Possible values that
+    #   OAuth provides are `phone`, `email`, `openid`, and `profile`.
+    #   Possible values that Amazon Web Services provides are
+    #   `aws.cognito.signin.user.admin`. Amazon Cognito also supports custom
+    #   scopes that you create in Resource Servers.
     #   @return [Array<String>]
     #
     # @!attribute [rw] allowed_o_auth_flows_user_pool_client
@@ -10339,8 +10752,8 @@ module Aws::CognitoIdentityProvider
     #
     #   * `ENABLED` - This prevents user existence-related errors.
     #
-    #   * `LEGACY` - This represents the old behavior of Cognito where user
-    #     existence related errors aren't prevented.
+    #   * `LEGACY` - This represents the old behavior of Amazon Cognito
+    #     where user existence related errors aren't prevented.
     #   @return [String]
     #
     # @!attribute [rw] enable_token_revocation
@@ -10354,6 +10767,33 @@ module Aws::CognitoIdentityProvider
     #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html
     #   @return [Boolean]
     #
+    # @!attribute [rw] enable_propagate_additional_user_context_data
+    #   When `EnablePropagateAdditionalUserContextData` is true, Amazon
+    #   Cognito accepts an `IpAddress` value that you send in the
+    #   `UserContextData` parameter. The `UserContextData` parameter sends
+    #   information to Amazon Cognito advanced security for risk analysis.
+    #   You can send `UserContextData` when you sign in Amazon Cognito
+    #   native users with the `InitiateAuth` and `RespondToAuthChallenge`
+    #   API operations.
+    #
+    #   When `EnablePropagateAdditionalUserContextData` is false, you can't
+    #   send your user's source IP address to Amazon Cognito advanced
+    #   security with unauthenticated API operations.
+    #   `EnablePropagateAdditionalUserContextData` doesn't affect whether
+    #   you can send a source IP address in a `ContextData` parameter with
+    #   the authenticated API operations `AdminInitiateAuth` and
+    #   `AdminRespondToAuthChallenge`.
+    #
+    #   You can only activate `EnablePropagateAdditionalUserContextData` in
+    #   an app client that has a client secret. For more information about
+    #   propagation of user context data, see [Adding user device and
+    #   session data to API requests][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UserPoolClientType AWS API Documentation
     #
     class UserPoolClientType < Struct.new(
@@ -10379,7 +10819,8 @@ module Aws::CognitoIdentityProvider
       :allowed_o_auth_flows_user_pool_client,
       :analytics_configuration,
       :prevent_user_existence_errors,
-      :enable_token_revocation)
+      :enable_token_revocation,
+      :enable_propagate_additional_user_context_data)
       SENSITIVE = [:client_id, :client_secret]
       include Aws::Structure
     end
@@ -10532,6 +10973,19 @@ module Aws::CognitoIdentityProvider
     #   The contents of the SMS authentication message.
     #   @return [String]
     #
+    # @!attribute [rw] user_attribute_update_settings
+    #   The settings for updates to user attributes. These settings include
+    #   the property `AttributesRequireVerificationBeforeUpdate`, a
+    #   user-pool setting that tells Amazon Cognito how to handle changes to
+    #   the value of your users' email address and phone number attributes.
+    #   For more information, see [ Verifying updates to email addresses and
+    #   phone numbers][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates
+    #   @return [Types::UserAttributeUpdateSettingsType]
+    #
     # @!attribute [rw] mfa_configuration
     #   Can be one of the following values:
     #
@@ -10546,7 +11000,14 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] device_configuration
-    #   The device configuration.
+    #   The device-remembering configuration for a user pool. A null value
+    #   indicates that you have deactivated device remembering in your user
+    #   pool.
+    #
+    #   <note markdown="1"> When you provide a value for any `DeviceConfiguration` field, you
+    #   activate the Amazon Cognito device-remembering feature.
+    #
+    #    </note>
     #   @return [Types::DeviceConfigurationType]
     #
     # @!attribute [rw] estimated_number_of_users
@@ -10681,6 +11142,7 @@ module Aws::CognitoIdentityProvider
       :email_verification_subject,
       :verification_message_template,
       :sms_authentication_message,
+      :user_attribute_update_settings,
       :mfa_configuration,
       :device_configuration,
       :estimated_number_of_users,
@@ -10700,7 +11162,7 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
-    # The user type.
+    # A user profile in a Amazon Cognito user pool.
     #
     # @!attribute [rw] username
     #   The user name of the user you want to describe.
@@ -10729,6 +11191,8 @@ module Aws::CognitoIdentityProvider
     #
     #   * CONFIRMED - User has been confirmed.
     #
+    #   * EXTERNAL\_PROVIDER - User signed in with a third-party IdP.
+    #
     #   * ARCHIVED - User is no longer active.
     #
     #   * UNKNOWN - User status isn't known.
@@ -10770,7 +11234,7 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] case_sensitive
-    #   Specifies whether username case sensitivity will be applied for all
+    #   Specifies whether user name case sensitivity will be applied for all
     #   users in the user pool through Amazon Cognito APIs.
     #
     #   Valid values include:
@@ -10830,12 +11294,16 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] sms_message
-    #   The SMS message template.
+    #   The template for SMS messages that Amazon Cognito sends to your
+    #   users.
     #   @return [String]
     #
     # @!attribute [rw] email_message
-    #   The email message template. EmailMessage is allowed only if [
-    #   EmailSendingAccount][1] is DEVELOPER.
+    #   The template for email messages that Amazon Cognito sends to your
+    #   users. You can set an `EmailMessage` template only if the value of [
+    #   EmailSendingAccount][1] is `DEVELOPER`. When your
+    #   [EmailSendingAccount][1] is `DEVELOPER`, your user pool sends email
+    #   messages with your own Amazon SES configuration.
     #
     #
     #
@@ -10843,8 +11311,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] email_subject
-    #   The subject line for the email message template. EmailSubject is
-    #   allowed only if [EmailSendingAccount][1] is DEVELOPER.
+    #   The subject line for the email message template. You can set an
+    #   `EmailSubject` template only if the value of [
+    #   EmailSendingAccount][1] is `DEVELOPER`. When your
+    #   [EmailSendingAccount][1] is `DEVELOPER`, your user pool sends email
+    #   messages with your own Amazon SES configuration.
     #
     #
     #
@@ -10853,8 +11324,10 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] email_message_by_link
     #   The email message template for sending a confirmation link to the
-    #   user. EmailMessageByLink is allowed only if [
-    #   EmailSendingAccount][1] is DEVELOPER.
+    #   user. You can set an `EmailMessageByLink` template only if the value
+    #   of [ EmailSendingAccount][1] is `DEVELOPER`. When your
+    #   [EmailSendingAccount][1] is `DEVELOPER`, your user pool sends email
+    #   messages with your own Amazon SES configuration.
     #
     #
     #
@@ -10863,8 +11336,11 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] email_subject_by_link
     #   The subject line for the email message template for sending a
-    #   confirmation link to the user. EmailSubjectByLink is allowed only [
-    #   EmailSendingAccount][1] is DEVELOPER.
+    #   confirmation link to the user. You can set an `EmailSubjectByLink`
+    #   template only if the value of [ EmailSendingAccount][1] is
+    #   `DEVELOPER`. When your [EmailSendingAccount][1] is `DEVELOPER`, your
+    #   user pool sends email messages with your own Amazon SES
+    #   configuration.
     #
     #
     #
@@ -10899,7 +11375,8 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] access_token
-    #   The access token.
+    #   A valid access token that Amazon Cognito issued to the user whose
+    #   software token you want to verify.
     #   @return [String]
     #
     # @!attribute [rw] session
@@ -10961,7 +11438,8 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] access_token
-    #   The access token of the request to verify user attributes.
+    #   A valid access token that Amazon Cognito issued to the user whose
+    #   user attributes you want to verify.
     #   @return [String]
     #
     # @!attribute [rw] attribute_name